Authenticator relocation method for wimax system

ABSTRACT

A method is provided for Authenticator Relocation in a communication system applying an Extensible Authentication Protocol, or the like, which provides replay protection and mitigates the rogue ASN-GW problem during relocation of the Anchor Authentication, and without conducting re-authentication of the MS. The method of the invention optionally allows secure refresh of the MSK.

FIELD OF THE INVENTION

The present invention generally relates to authentication between mobile terminals and base stations in wireless communication systems.

BACKGROUND OF THE INVENTION

The WiMAX Forum defines specifications for network support of the IEEE 802.16e based radio interface. As of the date of filing this application, the current releases of these specifications are described in the Stage 2 [WMF-T32-005-R010v04 Network-Stage2] and Stage 3 [WMF-T33-004-R010v04 Network-Stage3] documents published by the WiMAX Forum.

To provide communications security in a WiMAX wireless system, a security association is maintained between the mobile terminal and the serving network. This security association is created with the assistance of the subscriber's home network during initial subscription authentication of the user terminal entering the network, and subsequently can be refreshed during re-authentication events. Optimal allocation of system resources during such re-authentication events constitutes an on-going issue.

SUMMARY OF INVENTION

A method is provided for Authenticator Relocation in a communication system that typically applies an Extensible Authentication Protocol, or the like, which provides replay protection and mitigates the rogue ASN-GW problem during relocation of the Anchor Authentication, and without conducting re-authentication of the MS. In one embodiment of the invention an application of a counter value is provided as a token in messages exchanged among elements of the authentication protocol for relocation of the authenticator. In another embodiment of the invention, an application is provided for a secure refresh of the Master Session Key without conducting re-authentication.

BRIEF DESCRIPTION OF THE FIGURES

The teachings of the present invention can be readily understood by considering the following detailed description in conjunction with the accompanying drawings, in which:

FIG. 1 depicts a system architecture in which the method of the invention may be implemented.

FIG. 2 shows a flow sequence for authentication according to a method of the art.

FIG. 3 shows a flow sequence for authentication according to an embodiment the method of the invention.

FIG. 4 shows a flow sequence for authentication according to another embodiment the method of the invention

DETAILED DESCRIPTION

In the following description, for purposes of explanation and not limitation, specific details are set forth such as particular architectures, interfaces, techniques, etc., in order to provide a thorough understanding of illustrative embodiments of the invention. However, it will be apparent to those skilled in the art that the invention may be practiced in other illustrative embodiments that depart from these specific details. In some instances, detailed descriptions of well-known devices, circuits, and methods are omitted so as not to obscure the description of described embodiments with unnecessary detail. All principles, aspects, and embodiments, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future.

The invention is described hereafter in terms of a WiMAX application. It should be clear, however, that the invention will be applicable to in other wireless systems, and that the use the WiMAX application in the description following is solely for purposes of illustrating the invention principles, and is not in any way intended to limit the scope of the invention.

FIG. 1 depicts a system architecture in which the inventive method disclosed herein may be implemented. That figure corresponds to the typical Network Reference Model shown on FIG. 6-5 of WiMAX standard WMF-T32-005-R010v04_Network-Stage2.

In wireless communication systems, a security mechanism is generally applied to assure that only authorized users are provided access to the communication system. The protocol carried out to implement such security mechanisms is generally characterized as authentication, and commonly is divided among three entities: (1) a supplicant (or client), such as a mobile station (MS in FIG. 1), requesting access to the communication system, (2) an authenticator that operates as a gate-keeper for access to the communications network (called an Access Service Network Gateway (ASN-GW) in the WiMAX system depicted in FIGS. 1) and (3) an authentication server (illustrated as Home AAA Server in FIG. 1) that determines, based on an exchange of authentication messages (usually encrypted with one of more keys) between the supplicant and the authentication server.

In many wireless communication systems, including WiMAX, authentication is implemented using Extensible Authentication Protocol (EAP). As described in the WiMAX security framework, Sec.7.3, and in particular, Sec.7.3.8, with successful completion of the EAP-based authentication protocol, both the mobile station (MS) and the Home AAA (HAAA) server generate the secret Master Session Key (MSK). This key is sent by the HAAA to the Authenticator function in the Serving System ASN-GW.

This MSK security association is further used to create multiple lower level security keys for information encryption, integrity protection, etc.

The Authenticator function in the ASN-GW is anchored and may remain static for a substantial period of time, while the MS is served by Base Stations within the realm of the Serving ASN. The Authenticator may also remain anchored if the MS roams into a neighboring ASN, as long as that ASN belongs in a fully trusted domain of the same operator. However, as the MS hands over to another ASN crossing the trust boundary, over the R4 interface reference point (as shown in FIG. 1), the security framework prescribes a re-authentication of the MS.

As a result of re-authentication, the new ASN-GW assumes Authenticator responsibilities, and receives the new MSK. In effect, such re-authentication causes relocation of the Authenticator.

In a dynamic high mobility environment, rapid movements of the MS will cause frequent handovers between neighboring ASNs, and thus will require frequent relocations of the Authenticator function from one ASN-GW to another. Conducting such repeated re-authentications imposes additional burden on the backhaul network, AAA infrastructure, and, more importantly, on the Air Interface.

For example, consider an MS that roams from one ASN to another while in the Idle mode, i.e., not actively communicating with the serving system. In order to conduct the re-authentication for Authenticator relocation, the system would need to “wake up” the MS, execute a complex EAP authentication protocol, and then release the MS back into Idle. This operation will strain the MS and system resources.

A method has been provided in the art for Authenticator shifting without conducting re-authentication. The essence of that approach is shown on FIG. 2 and is summarized below:

-   -   The MS recognizes that it has roamed into another ASN by, for         instance, analyzing received indications from an overlaying         serving network about the present Paging Area, and therefore         knows that it needs to update its registered location.         Alternatively, the MS may decide to access the new ASN to         request a session. In either case, the MS sends a Ranging         Request, RNG-REQ, to the closest Base Station in the area.     -   The RNG-REQ message from the MS is received by the Base Station         BS and needs to be validated. To implement that function, the BS         needs to request the access security key AK from the current         Anchor Authenticator that serves this MS. As depicted in step 2         of FIG. 2, the BS typically relays this request over the R6         interface (between BS and ASN-GW) to the local ASN-GW, which         becomes a new Target Authenticator (depicted nA, for “New         Authenticator”) for the MS, to be differentiated from the         current Anchored Serving Authenticator (depicted pA, for         “Previous Authenticator”) associated with the ASN previously         serving the MS.     -   The nA recognizes that the MS is registered in another ASN, and         that its security association is anchored in the pA. As depicted         in step 3 of FIG. 2, the nA forwards the request to the pA over         the R4 interface.     -   The current Authenticator for the MS, pA, generates two nonces,         Nonce1 and Nonce2. The pA then uses the MSK and the Nonce1 in         addition to the identity of the nA to create a message (token)         Relocation Request Token shown in step 4 of FIG. 2 as MSKhash1.         This Relocation Request Token is delivered to the new Target         Authenticator nA in step 4, and forwarded by the nA to the HAAA         over the R3/R5 interface in step 5.     -   The HAAA validates this Token as a proof that the pA (which         currently possesses the secret MSK) agrees to transfer its         Authenticator responsibilities to the nA.     -   The HAAA also checks local policy to verify that the nA is         authorized to perform Authenticator duties for the current MS         session, and is trusted enough to receive the same MSK. In such         case the HAAA sends the current active MSK to the nA in step 6.     -   Upon receiving the MSK, the nA computes the Relocation         Authorization Token MSKhash2 using the received MSK and Nonce2.         The token MSKhash2 is then sent to the pA, in step 7, as the         proof that the nA is now in possession of the MSK, and that HAAA         has authorized the Authenticator transfer.     -   In step 8, the AuthRelocFinResp message closes the transaction         initiated by the message of step 7. In effect, the         AuthRelocFinResp message lets the nA know that the pA validated         and accepted the MSKHash2, is satisfied with it, and treats it         as a proof that the nA with the AAA authorization is now in         possession of the valid MSK. In other words, the Authenticator         Relocation can now be concluded.     -   Subsequent Accounting Stop from the pA (step 9) and Accounting         Start from the nA (step 11) indicate to the HAAA that         Authenticator relocation is completed successfully.

The above-described prior-art procedure suffers from several deficiencies as described below:

-   -   Both Nonce1 and Nonce2 are generated as random numbers by the         same entity, pA, and cannot be verified by any other network         entity for freshness. That is, neither nA nor HAAA can verify         that presented random Nonce1 or Nonce2 has not being used         before. Therefore, there is no guarantee of replay protection         for the Authenticator relocation transaction. As a result, a         rogue ASN-GW can repeat the Relocation Request Token in a         request to the HAAA, and receive the MSK even if the MS is         served elsewhere. Possession of the MSK would allow such a rogue         ASN-GW to eavesdrop on the MS session, and even deny its service         in another system.     -   The prior-art protocol described above assumes that the R4         interface is protected by Transport Layer security measures,         with the result that the pA and nA Authenticators can not         masquerade or spoof their identities. This assumption is not         warranted, as a rogue ASN-GW can insert itself as the         Man-in-the-Middle R4 entity between pA and nA, cache the         Relocation Request Token, and reuse it at a later time for         obtaining the MSK.     -   Reusing the same MSK in more than one ASN increases the scope of         MSK vulnerability, as the compromised ASN-GW can not only         decrypt current MS traffic, but also all previous and future         data of this MS for the whole duration of the MSK validity.

The inventor discloses herein several modifications to the prior art methodology that address the problems identified in that approach. These modifications are shown in FIGS. 3 and 4, which depict two illustrative embodiments of the invention, and described below. Note that steps unchanged from the FIG. 2 flow diagram are generally not repeated in the discussion below of FIGS. 3 and 4.

Specifically,

-   -   In step 3 a, a new variable, Counter 1, based on an         ever-increasing counter, is generated at the pA (as a         replacement for the random nonce Nonce1), along with Nonce 2, to         create the Relocation Request Token.     -   Advantageously, such a counter already exists in the WiMAX/IEEE         802.16e system, and it is defined as the CMAC_KEY_COUNT counter         described in Sec.4.3.4 of the standard         [WMF-T33-001-R010v04_Network-Stage3-Base]. This CMAC-KEY-COUNT         is currently used for a replay protection of management messages         on the Air Interface, and is maintained by the MS         (CMAC_KEY_COUNT_(M)) and Anchor Authenticator pA         (CMAC_KEY_COUNT_(N)). The CMAC_KEY_COUNT_(M) is included in the         Physical Attachment message (RNG-REQ, LU-REQ) sent by the MS to         the serving Base Station.     -   This CMAC_KEY_COUNT_(M) is forwarded by the serving BS to the nA         over the R6 interface during the step 2 transaction of FIGS. 3         and 4, and relayed by the nA to the pA over the R4 interface in         a step 3. In normal operation, the pA will compare the received         CMAC_KEY_COUNT_(M) with the locally maintained         CMAC_KEY_COUNT_(N) and select the larger value as an active         value of the CMAC_KEY_COUNT_(N).     -   The pA can now use the CMAC_KEY_COUNT_(N) in step 3 a as the         Counter 1 parameter in computing the Relocation Request Token.     -   As shown in the step 3 b, values of MSK, Counter 1, Nonce2,         pA-ID and nA-ID are included in computation of the Relocation         Request Token to ensure proper binding of entities involved in         the relocation transaction. This measure prevents possible         identity spoofing by a rogue ASN-GW.     -   The Relocation Request Token, pA-ID, nA-ID, Counter1, and nonce2         are delivered to the new Authenticator nA in step 4, and         forwarded by the nA to the HAAA in step 5.     -   The HAAA recognizes that, according to the requirements defined         in Sec.4.3.4 of the WiMAX standard         [WMF-T33-001-R010v04_Network-Stage3-Base], at the time of         successful EAP authentication the CMAC_KEY_COUNT_(N) is reset to         value 1, and incremented with every successful MS entry into the         network. The HAAA is also aware that, pursuant to the method of         the invention, the pA sets the Counter1 value to be equal to the         current maintained value of the CMAC_KEY_COUNT_(N), which must         be larger than 1 and larger than any other previously received         value of Counter1, until the next re-authentication. Any         violation of this check indicates a replay of the Relocation         Request Token, and must be rejected.     -   After evaluating the value of Counter 1 against the tests of the         prior section (in step 5 a), and finding the Counter 1 value         acceptable, the HAAA validates the Relocation Request Token (in         step 5 b).

As noted above, two illustrative embodiments of the invention are depicted by FIGS. 3 and 4. To this point, operation of the two embodiments are the same in both figures, and such common operation has been described above for both figures. Hereafter, however, invention operation for the two embodiments diverges somewhat and they are separately described in respect to FIG. 3 and FIG. 4.

-   -   In the embodiment depicted in FIG. 3, the HAAA generates a fresh         version of the MSK, denoted MSK′, by using the Counter1 as the         freshness parameter, as shown in step 5 c, to generate MSK′ as a         hash of MSK and Counter 1.     -   The MSK′ is then delivered to the nA from HAAA in step 6.     -   The nA computes the Relocation Authorization Token in step 6 a         using the MSK′ and returns this Token to the pA (in step 7) as a         proof of possession of MSK′.     -   The pA evaluates the Relocation Authorization Token in step 7 a,         validates in step 7 b and completes the Authenticator Relocation         in step 8.     -   The Authenticator Relocation Indicator (ARI) is sent to the MS         in a transaction of step 9, indicating that physical attachment         or location update is completed, and additionally, the MSK is         refreshed. Using this indication, the MS re-computes the MSK         using its current value and the CMAC_KEY_COUNT_(M) as the         freshness parameter.

It should be noted that, if the value of the CMAC_KEY_COUNT_(M) was smaller than the CMAC_KEY_COUNT_(N) maintained at the pA, the MS would not have being admitted into the network. If the CMAC_KEY_COUNT_(M) was equal or larger than previously maintained CMAC_KEY_COUNT_(N), the pA would have updated its CMAC_KEY_COUNT_(N) to be in sync with the CMAC_KEY_COUNT_(M) initially reported by the MS. And therefore, the values of CMAC_KEY_COUNT in the MS, pA, and HAAA are at this point fully synchronized. As a result, the MSK′ computed by the MS, pA, and HAAA are the same.

-   -   Subsequent RADIUS Accounting Stop from the pA (step 10) and         Accounting

Start from the nA (step 11) indicate to the HAAA that Authenticator Relocation is completed.

-   -   At this point, the MS, the HAAA, and the nA can declare the new         MSK=MSK′ to be active, and the pA can delete the old MSK.     -   In an alternative embodiment depicted in FIG. 4, operation of         the invention proceeds without generation of a new MSK. Thus,         for this embodiment, the HAAA does not generate a fresh value of         the MSK, MSK′ (as depicted in step 5 c of FIG. 3), but instead         returns the current valid MSK to the nA (step 6 of FIG. 4).     -   The nA computes the Relocation Authorization Token in step 6 a         using the MSK and returns this Token to the pA, in step 7, as a         proof of possession of MSK.     -   The pA evaluates the Relocation Authorization Token in step 7 a,         validates in step 7 b, and completes the Authenticator         Relocation in step 8.     -   The Ranging Response RNG-RSP is sent to the MS in a transaction         of step 9, indicating that physical attachment or location         update is completed without modification of the MSK.

In summary, the modified Authenticator Relocation procedure of the invention methodology, as described herein, provides replay protection and mitigates the rogue ASN-GW problem during relocation of the Anchor Authentication, and without conducting re-authentication of the MS, while optionally allowing secure refresh of the MSK.

Herein, the inventors have disclosed a method for supporting mobility of a roaming mobile terminal from one serving system to another, with relocation of the Authenticator function, but without the need for Re-authenticating the mobile terminal, that provides significant improvements in network security over methods of the art. Numerous modifications and alternative embodiments of the invention will be apparent to those skilled in the art in view of the foregoing description.

Accordingly, this description is to be construed as illustrative only and is for the purpose of teaching those skilled in the art the best mode of carrying out the invention and is not intended to illustrate all possible forms thereof. It is also understood that the words used are words of description, rather that limitation, and that details of the structure may be varied substantially without departing from the spirit of the invention, and that the exclusive use of all modifications which come within the scope of the appended claims is reserved. 

1. A method for authentication comprising: forming a token as a function of two or more variables wherein one of the variables is a counter value; evaluating the token at an authentication entity to determine validity of a request associated with the token.
 2. The method of claim 1 wherein another of the two or more variables is a master session key (MSK).
 3. The method of claim 1 wherein the counter value is provided from an associated entity and is initially generated for a function other than authentication.
 4. The method of claim 2 wherein a second MSK is generated as a function of the counter value and the MSK.
 5. The method of claim 2 wherein the token is sent from a first authentication entity to a second authentication entity.
 6. The method of claim 5 wherein the first authentication entity has a current relationship with an authenticated user, and the sending of the token occurs as the authenticated user moves to establish an authentication relationship with the second authentication entity.
 7. The method of claim 5 wherein the second authentication sends the received token and an indicia of its identity to an authentication server.
 8. The method of claim 7 wherein the authentication server evaluates the token for authentication, and upon authenticating the token, generates a second token for forwarding to the first authentication entity.
 9. The method of claim 8 wherein the second token is generated as a function of the counter value and the MSK.
 10. The method of claim 8 wherein the second token is generated as a function of the counter value and the second MSK.
 11. The method of claim 8 wherein the authentication relationship for the user is transferred from the first authentication entity to the second authentication entity upon evaluation of the second token at the first authentication entity.
 12. A method for transferring an authentication relationship for a user from a first authentication entity to a second authentication entity comprising: generating, at the first authentication entity, a first token as a function of a Master Session Key (MSK) and a counter value; sending the first token from the first authentication entity to the second authentication entity; sending the first token from the second authentication entity to an authentication server, along with an indicia of identity for the second authentication entity. evaluating the first token for authentication at the authentication server, and upon authenticating the first token, generating a second token as a function of the MSK and the counter value for forwarding to the first authentication entity; evaluating the second token at the first authentication entity and transferring the authentication relationship for the user from the first to the second authentication entity.
 13. The method of claim 12 wherein the counter value is provided from an associated entity and is initially generated for a function other than authentication.
 14. A method for transferring an authentication relationship for a user from a first authentication entity to a second authentication entity comprising: generating, at the first authentication entity, a first token as a function of a Master Session Key (MSK) and a counter value; sending the first token from the first authentication entity to the second authentication entity; sending the first token from the second authentication entity to an authentication server, along with an indicia of identity for the second authentication entity. evaluating the first token for authentication at the authentication server, generating a second MSK value by the authentication server as a function of the MSK and the counter value; upon authenticating the first token by the authentication server, generating a second token as a function of the second MSK and the counter value for forwarding to the first authentication entity; evaluating the second token at the first authentication entity and transferring the authentication relationship for the user from the first to the second authentication entity.
 15. The method of claim 14 wherein the counter value is provided from an associated entity and is initially generated for a function other than authentication. 